The term “phishing” was first coined in 1996. Sophisticated, well-organized phishing campaigns began in earnest in 2003, specifically targeting PayPal users. Phishing links quickly grew to become the number one successful hacking attack, and they remain the number one successful hacking attack to this day. Despite state-of-the-art measures by those skilled in the art, solving the problem of phishing links remains a long-sought, deeply-felt need.
Phishing links trick users into visiting malicious websites, which then mimic well-known sites (e.g., banking websites) or instantly install malware on the user's computer. Via the installed malware, the hacker can then capture all keystrokes and more, gaining login credentials and a host of other compromising information.
The number of successful hacking attacks via malicious websites continues to escalate despite widespread use of state-of-the-art security measures. In providing protection against visiting malicious sites, current systems and methods generally offer three security measures:
(i) Blacklists are used to prevent users from visiting known malicious sites.
(ii) Email clients show the sender of the email; and browsers display the URL of each link when the cursor is hovering over the link.
(iii) Links are scanned in real time to determine whether they contain any malicious code and whether they redirect to other sites serving malicious code.
Hackers have adopted methodologies that routinely defeat all three security measures above. For example, a study conducted by Webroot revealed an average of 1.4 million unique phishing websites are created every month, with the majority only online for between four and eight hours. Most of these phishing websites pretend to be high-profile technology and banking firms. This technique keeps the first security method (blacklists) continually out of date, and therefore, ineffective.
Spear phishing attacks involve imitating trusted senders. For example, out of the 537,617 spear phishing attacks analyzed by Great Horn: 490,557 used faked display names, 44,726 altered the email's header contents (including the “from” field and other fields), and 2,337 used domain names that looked like trusted domains. These commonly employed tactics actually use the display of sender name against the user. Ironically, the second security method above (sender display) can be used to actually encourage users to trust the spear phishing email. This makes the security method not only ineffective, but even harmful.
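The three sender tactics enumerated above (faked display names, altered header fields, and lookalike domains) can each be checked mechanically before a sender name is ever shown to the user. The following is an added example, not part of the original text or of any product it describes; the trusted-domain list and the sample messages are constructed, and the edit-distance threshold of two is an assumption chosen for illustration.

```python
"""Flag the three spear-phishing sender tactics: faked display names,
altered header fields (Reply-To / Return-Path), and lookalike domains.
Added example; trusted domains and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains the organisation treats as trusted.
TRUSTED_DOMAINS = {"example-bank.com", "example.org"}
# Assumed threshold: a domain within two edits of a trusted one is a lookalike.
LOOKALIKE_MAX_EDITS = 2


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; spots swaps such as 'examp1e' for 'example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_sender(raw_message):
    """Return a list of finding labels for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # (1) Faked display name: the display name is itself an email address
    # or names a trusted domain, while the real address is elsewhere.
    name_addr = re.search(r"[\w.+-]+@[\w.-]+", display)
    if name_addr and _domain(name_addr.group(0)) != from_domain:
        findings.append("display-name-mismatch")
    elif (any(t in display.lower() for t in TRUSTED_DOMAINS)
          and from_domain not in TRUSTED_DOMAINS):
        findings.append("display-name-mismatch")

    # (2) Altered headers: replies or bounces are steered to another domain.
    for hdr in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(hdr, ""))
        if other and _domain(other) != from_domain:
            findings.append(f"{hdr.lower()}-domain-mismatch")

    # (3) Lookalike domain: close to a trusted domain without being one.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < _edit_distance(from_domain, trusted) <= LOOKALIKE_MAX_EDITS:
                findings.append(f"lookalike-domain:{trusted}")
    return findings


# Constructed sample messages, one per tactic plus a clean control.
SAMPLE_FAKED_NAME = (
    'From: "alerts@example-bank.com" <mailbox@free-mail.test>\n'
    "Subject: Your statement\n\nbody\n"
)
SAMPLE_ALTERED_HEADER = (
    "From: Alerts <alerts@example-bank.com>\n"
    "Reply-To: <collect@other.test>\n\nbody\n"
)
SAMPLE_LOOKALIKE = "From: Alerts <alerts@examp1e-bank.com>\n\nbody\n"
SAMPLE_CLEAN = "From: Alerts <alerts@example-bank.com>\n\nbody\n"

if __name__ == "__main__":
    for name, sample in (("faked name", SAMPLE_FAKED_NAME),
                         ("altered header", SAMPLE_ALTERED_HEADER),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("clean", SAMPLE_CLEAN)):
        print(f"{name:15s} -> {analyze_sender(sample)}")
```

Each finding corresponds to one of the three tactics, so a client can suppress or annotate the sender display when any finding is present rather than showing a name that argues for trust.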
The inherent weaknesses of the first two methods led to the current state-of-the-art security method: link scanning. Unfortunately, link scanning provides only the illusion of security while being trivial for hackers to circumvent. Hackers circumvent link scanning in a simple, straightforward manner: when a security service accesses the link, the hacker's server sends the security service to a clean site; but when a victim's computer accesses the very same link, the server sends the victim to a malicious site. Links are dynamic, not static. Links are easily programmed to have different behaviors for different IP addresses. Therefore, security services are scanning behaviors that differ from the ones that victims will encounter. Thus, the security service rates the link “good”; the user trusts the “good” rating and then proceeds to get hacked.
Since link scanning is currently in vogue among those skilled in the art, it is worthwhile to explore how easily this security is circumvented. If a security service uses the same IP address (or the same group of IP addresses) to scan links, then hackers simply program the links to exhibit good behavior whenever one of those IP addresses is encountered. If a security service uses proxied IP addresses, then the hacker simply needs to send two emails (instead of one) to complete the attack. After all, the security service will present two different IP addresses for the two emails, while the victim will likely present one common IP address when opening the two emails. Hence, the second email can then send the common IP address (the victim's IP address) to a malicious site, thereby completing the attack.
In an attempt to overcome the above, link scanning can be implemented on the client device itself. However, this also presents its own problems. First, this method inherently provides the user's IP address to hackers (perhaps for emails that the user might not even click on). Second, hackers easily insert simple behavioral tests to determine whether the link is being scanned or actually being accessed by a user. For example, link scanners running on a client device normally would not execute arbitrary code on that device (otherwise that would be a huge security hole). Therefore, the hacker's server simply includes arbitrary test code in the first returned link. If the code is not executed, then the link subsequently redirects to a clean site. But if the test code is executed (i.e., when the user accesses the link), then the link subsequently redirects to a malicious site.
The creative variability of link behavior is demonstrated by the recent 2018 attacks on US government officials. As reported by The Daily Beast: “The attempt against McCaskill's office [in 2018] was a variant of the password-stealing technique used by Russia's so-called ‘Fancy Bear’ hackers against Clinton's campaign chairman, John Podesta, in 2016.”
“The hackers sent forged notification emails to Senate targets claiming the target's Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate's Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”
“As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient's email address.” (www.thedailybeast.com/russian-hackers-new-target-a-vulnerable-democratic-senator, bracket annotation added)
Encoding the recipient's email address within the link empowers the hacker's server to customize the link behavior based on the recipient. Furthermore, if the hacker has a database matching email addresses to IP addresses (a trivial database to build automatically) then the hacker can send victims to a malicious site (via their IP addresses), while sending government security scanners to a clean site (since the security scanner IP addresses will not match the IP address corresponding to the email).
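A link that carries the recipient's own address is detectable on the receiving side, because the mail client knows which mailbox the message was delivered to. The following is an added example, not part of the original text; it checks every link in a message body for the recipient's address in the forms such a token commonly takes (plain, URL-encoded, base64, hex, or a common hash digest). The recipient, the message body, and the hostnames are constructed, and the set of encodings checked is an assumption.

```python
"""Find links in a message that embed the recipient's own address, the
per-recipient customisation described above. Added example; the sample
recipient and body are constructed, the encoding set is an assumption."""
import base64
import hashlib
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def recipient_encodings(address):
    """Forms in which an address may be embedded in a URL: plain,
    URL-encoded, base64 (standard and URL-safe, padding stripped),
    hex, and MD5/SHA-1/SHA-256 digests of the lower-cased address."""
    raw = address.lower().encode()
    forms = {address.lower(), quote(address.lower(), safe="")}
    for enc in (base64.b64encode, base64.urlsafe_b64encode):
        forms.add(enc(raw).decode().rstrip("="))
    forms.add(raw.hex())
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, raw).hexdigest())
    return forms


def personalized_links(body, recipient):
    """Return (url, matched_form) for each link whose path segment, query
    value or fragment contains the recipient in any known form."""
    forms = recipient_encodings(recipient)
    hits = []
    for url in LINK_RE.findall(body):
        parts = urlsplit(url)
        # Candidate tokens: decoded path segments, query values, fragment.
        tokens = [unquote(seg) for seg in parts.path.split("/") if seg]
        tokens += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if parts.fragment:
            tokens.append(unquote(parts.fragment))
        match = next(
            (form for tok in tokens for form in forms
             if form in tok or form in tok.lower()),
            None,
        )
        if match is not None:
            hits.append((url, match))
    return hits


# Constructed sample: a reset lure whose link carries the recipient twice
# (URL-encoded in a query value, hex in a path segment) plus a clean link.
SAMPLE_RECIPIENT = "victim@example.org"
SAMPLE_BODY = (
    "Your password has expired. Reset it here:\n"
    "https://sso-reset.example.test/login?u=victim%40example.org\n"
    "https://sso-reset.example.test/t/76696374696d406578616d706c652e6f7267/go\n"
    "Help: https://help.example.test/faq\n"
)

if __name__ == "__main__":
    for url, form in personalized_links(SAMPLE_BODY, SAMPLE_RECIPIENT):
        print(f"per-recipient link: {url}  (matched form: {form})")
```

A hit does not by itself prove malice, since legitimate mailers also personalise links, but it does establish that the server on the other end can tell who is clicking, which is exactly the precondition for the recipient-dependent behavior described above.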
The bottom line is that links are dynamic. Link behavior is entirely up to the creativity of the hacker. Hence there is effectively an unlimited number of ways in which any given link can behave. This has, until now, provided hackers with a seemingly insurmountable advantage and has seemed an intractable problem to those skilled in the art.